February 26, 2022 Roberto Puzzanghera 2 comments
The RFC-821 Section 3.5 states that
The sender-SMTP MUST ensure that the <domain> parameter in a HELO command is a valid principal host domain name for the client host. As a result, the receiver-SMTP will not have to perform MX resolution on this name in order to validate the HELO parameter.
The HELO receiver MAY verify that the HELO parameter really corresponds to the IP address of the sender. However, the receiver MUST NOT refuse to accept a message, even if the sender's HELO command fails verification.
Not denying clients with a bad HELO/EHLO DNS can also be considered a wise thing, if only to avoid updating our welcomelist too frequently for those clients who didn't set up their DNS properly.
On the other hand, it is a matter of fact that most spammers use fake domains (very often our own domains), random strings, or domains that don't resolve at all as their HELO/EHLOs.
For example, consider the following log lines (I have plenty of them in my logs):
2022-02-01 10:19:53.142643500 helo-dns-check: HELO [yq3H9cDKgS] from [109.237.103.41] doesn't solve
2022-02-01 09:53:05.772497500 helo-dns-check: HELO [sagredo.eu] is a local domain but IP [183.240.55.119] is not a RELAYCLIENT
I think that at least such kind of failures should be blocked. I'll explain below how to set up a filter which denies clients with these particular DNS failures:
1. HELO/EHLOs that are random strings or fake domains with no A record at all.
2. HELO/EHLOs containing one of our domains, when the DNS doesn't resolve to one of our IPs and RELAYCLIENT is not defined.
3. The A record doesn't match the domain in their HELO/EHLO. Refusing these connections is completely against RFC-821, so my configuration will not refuse them, just log them.
We'll make use of a qmail-spp "helodnscheck" plugin that I derived from an original work of Perolo Silantico, Jason Frisvold and Ren Bing. Here is the original plugin and my one:
The logic of the original plugin is to deny clients of type 3, which of course includes types 1 and 2, but without being able to select 1 and/or 2 from the others. My modified version, instead, can ban only clients of type 1 and/or 2 or work as the original program.
I assume that you have already patched qmail with qmail-spp. If you are using my combined patch you are ok.
Download, compile and install:
cd /usr/local/src
wget https://notes.sagredo.eu/files/qmail/patches/qmail-spp/plugins/helodnscheck/helodnscheck7.c
gcc -o /var/qmail/plugins/helodnscheck helodnscheck7.c -lresolv
Now enable the plugin, adding it to /var/qmail/control/smtpplugins in the [helo] section:
[helo]
plugins/helodnscheck
List all your IPs inside the file control/moreipme (you should have already done this if you configured the "moreipme" patch):
1.2.3.4
5.6.7.8
Then enable qmail-spp and set up the plugin parameters to your needs. I suggest the following in your qmail-smtpd run file:
export ENABLE_SPP=1
export HELO_DNS_CHECK=PLRIV
In this way only bad HELOs of type 1 (I) and 2 (V) will be denied unless RELAYCLIENT is defined (R). All other DNS failures will pass through (P) and each of them will be logged (L).
Be aware that the HELO check can't work well on the submission port, where the authenticated client's IP will not match its HELO, so don't define HELO_DNS_CHECK in your qmail-submission run file.
Of course you can define HELO_DNS_CHECK via tcprules, or exempt a particular IP via NOHELODNSCHECK, as follows:
111.222.333.444:allow,NOHELODNSCHECK=""
:allow,HELO_DNS_CHECK="PLRIV"
The program's behaviour is defined in the HELO_DNS_CHECK variable:
The above can be combined, so BL means block & log if TCPREMOTEIP is not set.
Note: If there is no HELO/EHLO argument, it defaults to a permanent block.
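To make the three failure classes and the flag string concrete, here is a small model of the decision the plugin takes per connection. It is an added example written for this page, not the helodnscheck plugin's own code: DNS is replaced by a constructed in-memory table so that it runs offline, the local IPs stand in for control/moreipme, the set of local domains and the type-3 log wording are assumptions, and the flags are modelled only as the post describes them (B, I, V select what to block, R exempts a RELAYCLIENT, L logs, P lets the rest through).

```python
"""Model of the HELO/EHLO DNS check: failure classes and HELO_DNS_CHECK flags.

Constructed example (not the helodnscheck plugin). DNS lookups come from a
fixed table so the script runs offline.
"""
from typing import Dict, List, NamedTuple, Set

# Constructed DNS table: name -> A records. A name missing from the table
# does not resolve at all (the plugin would get no A record from the resolver).
FAKE_DNS: Dict[str, List[str]] = {
    "sagredo.eu": ["1.2.3.4"],          # one of "our" domains, hosted on one of our IPs
    "mx.example.org": ["203.0.113.9"],  # a legitimate third-party mail host
}

LOCAL_IPS: Set[str] = {"1.2.3.4", "5.6.7.8"}   # what control/moreipme would list
LOCAL_DOMAINS: Set[str] = {"sagredo.eu"}       # domains this server owns (assumed)

OK, MISSING, TYPE1, TYPE2, TYPE3 = "ok", "missing", "type1", "type2", "type3"


def resolve_a(name: str) -> List[str]:
    """Stand-in for a resolver query: the A records of name, [] if none."""
    return FAKE_DNS.get(name.lower(), [])


def is_local_domain(helo: str) -> bool:
    """True when the HELO is, or is a host inside, one of our own domains."""
    h = helo.lower()
    return any(h == d or h.endswith("." + d) for d in LOCAL_DOMAINS)


def classify(helo: str, remote_ip: str, relayclient: bool) -> str:
    """Map one HELO/EHLO to the failure classes used in the post.

    type1: no A record at all (random string, fake domain)
    type2: one of our domains, but the client is neither on one of our IPs
           nor a RELAYCLIENT
    type3: the name resolves, just not to the connecting IP (RFC 821 says
           this alone must not be a reason to refuse the message)
    """
    if not helo:
        return MISSING
    records = resolve_a(helo)
    if not records:
        return TYPE1
    if is_local_domain(helo) and remote_ip not in LOCAL_IPS and not relayclient:
        return TYPE2
    if remote_ip not in records:
        return TYPE3
    return OK


class Verdict(NamedTuple):
    action: str    # "accept" or "deny"
    failure: str   # one of the classes above
    log: str       # empty unless the L flag is present and the HELO failed


def decide(flags: str, helo: str, remote_ip: str, relayclient: bool = False) -> Verdict:
    """Apply a HELO_DNS_CHECK flag string such as "PLRIV" to one connection.

    B blocks every failure (the original plugin's behaviour), I blocks type1,
    V blocks type2, R never blocks a RELAYCLIENT, P lets the remaining
    failures through and L logs them. What the plugin does when P is absent
    is not modelled here.
    """
    failure = classify(helo, remote_ip, relayclient)
    if failure == MISSING:
        return Verdict("deny", failure, "")   # post: no HELO argument -> permanent block
    if failure == OK:
        return Verdict("accept", failure, "")

    blocked = ("B" in flags
               or (failure == TYPE1 and "I" in flags)
               or (failure == TYPE2 and "V" in flags))
    if blocked and "R" in flags and relayclient:
        blocked = False

    log = ""
    if "L" in flags:
        # First two messages follow the log lines quoted in the post; the
        # type3 wording is constructed for this example.
        text = {
            TYPE1: f"HELO [{helo}] from [{remote_ip}] doesn't solve",
            TYPE2: f"HELO [{helo}] is a local domain but IP [{remote_ip}] is not a RELAYCLIENT",
            TYPE3: f"HELO [{helo}] from [{remote_ip}] does not resolve to the client IP",
        }[failure]
        log = "helo-dns-check: " + text
    return Verdict("deny" if blocked else "accept", failure, log)


if __name__ == "__main__":
    # Constructed connections; the first two mirror the log lines in the post.
    cases = [
        ("yq3H9cDKgS", "109.237.103.41", False),
        ("sagredo.eu", "183.240.55.119", False),
        ("mx.example.org", "198.51.100.7", False),
        ("mx.example.org", "203.0.113.9", False),
        ("", "198.51.100.7", False),
    ]
    for helo, ip, rc in cases:
        v = decide("PLRIV", helo, ip, rc)
        print(f"{v.action:6} {v.failure:7} {v.log}")
```

Running it with "PLRIV" denies the random-string HELO and the spoofed local domain, logs but accepts the third-party host whose A record does not match its client IP, and accepts the matching one; switching the flags to "BL" makes that third case a denial too, which is the original plugin's behaviour.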
Comments
plugins Directory not created
GoofY April 2, 2023 10:06
Howdy,
Just a minor thing, there is no '/var/qmail/plugins' directory, create with
plugins Directory not created
Roberto Puzzanghera GoofY April 2, 2023 10:13
Thank you. I'll have that directory created at compilation time in the next release.